bitrat | 6f8188ae7ae8a5b3e3803ba7ff59bb2b5394bd990fa042ff8a4564f060989e27

General

Target

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
Size

13KB
MD5

a1a52e047f098572bc4f1020cbe19970
SHA1

f3b05c953cc2d459985e47f41609620cb4c59437
SHA256

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2
SHA512

3a5914dc3655b53dcb36fbaf18ad170029c15933e4a9c0808a3c95179da6bff246a10dcf5cc048392dff988dc2ba3bde6f89f3a1ab9914b8c3535a95c8f70699
SSDEEP

192:6ZYUc8f/ftGgkpErlc/vl20JFi1TTgJMRqIcuuufNva:6ZddGgkpSWxuTEKRdN

Score

10^/10

bitrat xenarmor password persistence recovery trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.139.128.233:3569

Attributes

communication_password
ce952068942604a6d6df06ed5002fad6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1508-160-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/1508-162-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/1508-163-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/1508-165-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/1508-166-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qgvgnoefmt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cwzux\\Qgvgnoefmt.exe\""	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

pid	process
444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

description	pid	process	target process
PID 3764 set thread context of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 set thread context of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exe5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

pid	process
220	powershell.exe
220	powershell.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

pid process

444 5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exepowershell.exe5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

description	pid	process
Token: SeDebugPrivilege	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeShutdownPrivilege	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

pid	process
444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
"C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA0AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
2⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
2⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
2⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
2⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
2⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
2⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
-a "C:\Users\Admin\AppData\Local\707c9a17\plg\znrtPTxx.json"
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
4⤵
PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\707c9a17\plg\znrtPTxx.json

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/220-144-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/220-141-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/220-142-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/220-143-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/220-137-0x0000000000000000-mapping.dmp

Download
memory/220-138-0x0000000002960000-0x0000000002996000-memory.dmp

Filesize
216KB

Download
memory/220-139-0x00000000051D0000-0x00000000057F8000-memory.dmp

Filesize
6.2MB

Download
memory/220-140-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/444-169-0x0000000074780000-0x00000000747B9000-memory.dmp

Filesize
228KB

Download
memory/444-168-0x0000000074400000-0x0000000074439000-memory.dmp

Filesize
228KB

Download
memory/444-158-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/444-151-0x0000000000000000-mapping.dmp

Download
memory/444-157-0x0000000074780000-0x00000000747B9000-memory.dmp

Filesize
228KB

Download
memory/444-156-0x0000000074400000-0x0000000074439000-memory.dmp

Filesize
228KB

Download
memory/444-155-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/444-154-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/444-153-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/444-152-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1508-159-0x0000000000000000-mapping.dmp

Download
memory/1508-165-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1508-166-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1508-163-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1508-162-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1508-160-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1796-146-0x0000000000000000-mapping.dmp

Download
memory/3380-148-0x0000000000000000-mapping.dmp

Download
memory/3512-164-0x0000000000000000-mapping.dmp

Download
memory/3764-136-0x00000000080C0000-0x00000000080E2000-memory.dmp

Filesize
136KB

Download
memory/3764-132-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/3764-135-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/3764-134-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/3764-133-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/4264-147-0x0000000000000000-mapping.dmp

Download
memory/4300-149-0x0000000000000000-mapping.dmp

Download
memory/4680-145-0x0000000000000000-mapping.dmp

Download
memory/4884-150-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3764 wrote to memory of 220	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	powershell.exe
PID 3764 wrote to memory of 220	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	powershell.exe
PID 3764 wrote to memory of 220	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	powershell.exe
PID 3764 wrote to memory of 4680	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4680	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4680	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 1796	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 1796	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 1796	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4264	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4264	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4264	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 3380	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 3380	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 3380	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4300	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4300	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4300	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4884	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4884	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 4884	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 3764 wrote to memory of 444	3764	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 444 wrote to memory of 1508	444	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 1508 wrote to memory of 3512	1508	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 1508 wrote to memory of 3512	1508	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe
PID 1508 wrote to memory of 3512	1508	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe	5011f03924e939955dd3868c86998398ce022fb726ec701921377bf13ea341a2.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads